From 74330002076811f7428789ccee89943e2e6b1da5 Mon Sep 17 00:00:00 2001
From: Graham Dumpleton
Date: Sun, 15 Apr 2012 15:15:55 +1000
Subject: Remove HTTPS variable from WSGI environment ensuring that only wsgi.url_scheme is present. This is to stop use/abuse of this variable by non conformant WSGI applications.
---
 mod_wsgi.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/mod_wsgi.c b/mod_wsgi.c
index 221ae93..a75d36c 100644
--- a/mod_wsgi.c
+++ b/mod_wsgi.c
@@ -3588,6 +3588,18 @@ static PyObject *Adapter_environ(AdapterObject *self)
 Py_DECREF(object);
 }
 
+ /*
+ * We remove the HTTPS variable because WSGI compliant
+ * applications shouldn't rely on it. Instead they should
+ * use wsgi.url_scheme. We do this even if SetEnv was
+ * used to set HTTPS from Apache configuration. That is
+ * we convert it into the correct variable and remove the
+ * original.
+ */
+
+ if (scheme)
+ PyDict_DelItemString(vars, "HTTPS");
+
 /*
 * Setup log object for WSGI errors. Don't decrement
 * reference to log object as keep reference to it.
-- 
cgit v1.2.1
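Review bot: The return value of `PyDict_DelItemString(vars, "HTTPS")` is ignored, so if the key is ever absent from `vars` the call leaves a KeyError pending in the interpreter, and a later Python C API call can then fail for a reason that looks unrelated. The `if (scheme)` guard presumably implies the key was copied into `vars`, but `scheme` is assigned outside this hunk (the body of Adapter_environ starts and ends outside it), so that cannot be confirmed here; `if (scheme && PyDict_DelItemString(vars, "HTTPS") < 0) PyErr_Clear();` makes the removal safe either way. The comment would also benefit from one more line such as `Applications that test environ['HTTPS'] to decide on secure cookies or redirects will no longer see it and must check wsgi.url_scheme.`, since that is the security-relevant behaviour change for already deployed applications.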